(54) Method and apparatus for incremental delivery of access rights

(57) Incremental delivery of authenticated access rights to an access control processor is provided. Subgroups of the access rights are communicated to the processor in a plurality of messages. The subgroups are stored in different data banks within the processor and validity designations associated with the data banks indicate whether the data currently stored therein has been authenticated under a cryptographic key currently in use. Access under a particular key is limited to that provided by access rights contained in storage banks having a validity designation in a valid state for that key.
Description

BACKGROUND OF THE INVENTION 

The present invention relates generally to security apparatus for information processing systems, and more particularly to the incremental delivery of authenticated access rights to an access control processor. The invention is particularly useful in connection with the secure transmission of premium television services via satellite or cable, but is not limited to such applications.

There are many schemes available for controlling access to electronic signals, such as those providing premium television services. Such schemes are necessary to maintain security, for example in subscription television systems such as cable television and satellite television systems. Typically, a system subscriber is provided with a decoder connected between a television signal source (e.g., cable feed or satellite receiver) and a television set. Each subscriber's decoder is remotely accessed by the system operator to enable or disable the receipt of specific services such as the Home Box Office (HBO) movie channel or special pay-per-view sports events. One problem with such systems is that "pirates" may attempt to break the system security and sell "black boxes" that enable the reception of all programming without paying for the services received. It has been difficult and expensive for system operators to contend with the piracy problem.

Various systems have been designed to make piracy more difficult. One such system is disclosed in U.S. patent no. 4,613,901 to Gilhousen, et al. entitled "Signal Encryption and Distribution System for Controlling Scrambling and Selective Remote Descrambling of Television Signals." In the Gilhousen, et al. scheme, various cryptographic keys are used to provide an encrypted television signal. Among the keys described are category keys, each common to a different subset of subscriber decoders. It is also known to provide program keys, in which each television program has a specific key associated therewith that is necessary to descramble or decrypt the particular program signal.

U.S. patent 5,115,467 to Esserman, et al. entitled "Signal Encryption Apparatus for Generating Common and Distinct Keys" also deals with the security issue. The generation of various different types of keys and their use is disclosed in the patent.

An example of a prior art communication system using encrypted category keys and program keys is the VideoCipher® II+ scrambling system produced and licensed by General Instrument Corporation of San Diego, California to provide encrypted satellite television communication. The encrypted category key is derived from a category key, a unit key specific to a subscriber decoder, and access rights defining which services the particular subscriber is entitled to receive. The access rights are authenticated in the category key, which generally changes monthly.



In the VideoCipher II+ system, and other known systems, it has been necessary to provide the authenticated access rights with the encrypted category key in a single "category rekey" message. The access rights may be many bytes in length. Each category rekey message has a limited length. For example, category rekey messages in a particular system may be limited to two hundred bytes. Such limitations are typically required by the size of the buffer (e.g., RAM) which receives the message in the access control processor. If the number of bytes required to define access rights were to become too large, a single category rekey message could not hold the full description.

It would be advantageous to provide an access control system in which access rights can be delivered incrementally, in more than one category rekey message. It would be further advantageous to provide such a system that would operate even after only a partial set of access rights has been received. It would be still further advantageous to provide such a system that can receive partial sets of access rights in any order, without adversely affecting system operation.

The present invention provides a system for incrementally delivering access rights having the aforementioned and other advantages.

SUMMARY OF THE INVENTION 

In accordance with the present invention, a method is provided for incrementally delivering authenticated access rights to an access control processor. Data defining the access rights is divided into a plurality of subgroups. The subgroups are transmitted to the processor as authenticated data in a plurality of messages. A current cryptographic key is derived using the authenticated data contained in a current message upon receipt of that message by the processor. Each of the subgroups is stored in a corresponding storage bank of the processor. Each of the storage banks has a validity designation associated therewith for said cryptographic key. The current cryptographic key is compared to a cryptographic key from a prior message under which subgroups stored in the storage banks were authenticated to determine if the keys match. If the keys match, the validity designation for that key is set to a valid state for each storage bank that is storing data authenticated by the current message, without changing the key's validity designation for any other storage bank. If the keys do not match, the validity designation for that key is set to a valid state for each storage bank that is storing data authenticated by the current message, and the validity designation for that key is set to an invalid state for all other storage banks. As used herein, the act of setting a validity designation to a valid state is intended to include the act of simply maintaining or leaving unchanged a validity designation that is already in the valid state. Likewise, setting a validity designation to an invalid state may only require that a prior invalid state be maintained without actually resetting the validity designation. Access (e.g., to particular television programs) under the current cryptographic key is limited to that provided by access rights contained in storage banks having a validity designation in a valid state for that key.

In one implementation of the present invention, first and second different cryptographic keys under which access rights are authenticated are maintained by the access control processor at the same time. Each of the storage banks is provided with a first validity designation for the first key and a second validity designation for the second key. Access via a particular one of the keys is limited to that provided by access rights contained in storage banks having a validity designation in a valid state for that key.

One or more of the plurality of messages can carry a replacement for one of the first and second keys, together with one or more subgroups authenticated under the replacement key. Each of the subgroups transmitted with the replacement key is stored in a corresponding one of the storage banks. The validity designation for the replacement key is set to a valid state for those storage banks holding a subgroup authenticated under the replacement key. The validity designation for the replacement key is set to an invalid state for those storage banks holding a subgroup that was not authenticated under the replacement key. The validity designation for the key that was not replaced will remain unchanged for those storage banks holding a subgroup authenticated under that key. The validity designation for the key that was not replaced is set to an invalid state for those storage banks holding a subgroup that was not authenticated under that key. The message carrying the replacement key can also carry a duplicate of the key that was not replaced. In a preferred embodiment, replacement keys are transmitted on a periodic basis. For example, a new "category key" for use during the next month can be transmitted while the category key for the current month is still maintained by the access control processor.

The present invention also provides an access control processor for incrementally receiving authenticated access rights. The access control processor includes means for receiving a plurality of messages containing subgroups of access control data defining the access rights. Means are provided for deriving a cryptographic key using the authenticated data contained in a current one of the messages upon receipt of that message. A plurality of storage banks is provided for storing different ones of the subgroups. Each of the storage banks has a validity designation associated therewith for the cryptographic key. A comparator is provided for comparing the cryptographic key to a cryptographic key under which data contained in the storage banks was authenticated to determine if the keys match. Means responsive to the comparing means set the validity designation for the key to a valid state for each storage bank that is storing data authenticated by the current message, without changing the validity designation of any other storage bank if the keys match. Means responsive to the comparing means set the validity designation for the key to a valid state for each storage bank that is storing data authenticated by the current message, and set the validity designation for that key to an invalid state for all other storage banks if the keys do not match. Access under the cryptographic key is limited to that provided by access rights contained in storage banks having a validity designation in a valid state for that key.

The processor can maintain first and second different cryptographic keys under which access rights are authenticated. A first validity designation is maintained for the first key and a second validity designation is maintained for the second key for each of the banks. Access via a particular one of the keys is limited to that provided by access rights contained in storage banks having a validity designation in a valid state for that key.

A replacement can be provided for one of the first and second keys together with one or more subgroups authenticated under the replacement. In such an embodiment, the apparatus of the present invention further comprises means for storing each of the subgroups transmitted with the replacement key in a corresponding one of the storage banks. Means are provided for setting the validity designation for the replacement key to a valid state for those storage banks holding a subgroup authenticated under the replacement key. Means are provided for setting the validity designation for the replacement key to an invalid state for those storage banks holding a subgroup that was not authenticated under the replacement key. Means are also provided for setting the validity designation for the key that was not replaced to an invalid state for those storage banks holding a new subgroup that was authenticated under the replacement key and differs from the previous subgroup stored in that storage bank.

BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 is a block diagram of an access control processor in accordance with the present invention;
Figure 2 is a block diagram illustrating, in simplified form, an example of a key hierarchy that can be used by an uplink processor to provide cryptographically secure data for transmission;
Figure 3 is a block diagram illustrating, in simplified form, an example of a key hierarchy that can be used for decryption of the cryptographically secure data at a decoder;
Figures 4a to 4c are diagrammatic illustrations used to show how access rights are incrementally distributed in accordance with the present invention;
Figures 5a to 5b illustrate, in diagrammatic form, a further example of the invention in which a plurality of different cryptographic keys are maintained under which access rights are authenticated and distributed incrementally;
Figures 6a to 6b illustrate an example in which a replacement category key is provided with no change in access rights; and
Figures 7a to 7c illustrate an example in which two different subgroups of access rights are incrementally delivered and authenticated under two category keys.


DETAILED DESCRIPTION OF THE INVENTION 

Figure 1 illustrates a secure access control processor that can be used, for example, to receive and decrypt digital television signals in accordance with the present invention. The signals to be decrypted are input via terminal 10 to a decryptor 20. The decryptor receives working keys necessary to decrypt the input data from a processor. The processor addresses memory 16 in a conventional manner, in order to store various data including decrypted keys, access rights and validity designations as described in more detail below. Encrypted keys are input to the processor 14 via terminal 12. A comparator 22 is provided in accordance with the present invention in order to compare a newly derived key with a prior key stored in memory 16. This comparison is used in order to set the state of the validity designations mentioned above.

Figure 2 describes, in simplified form, a key hierarchy that can be used for key encryption, e.g., at a satellite uplink. A unit key which is specific to a particular subscriber decoder is input via terminal 30 to an exclusive OR (XOR) function 31 which also receives access rights via terminal 32. Access control involves defining, on a unit by unit basis, the access rights granted to that particular unit. Access rights are authenticated in a "category key," which changes periodically, for example on a monthly basis. Each program, which represents a time slice from one service such as HBO, defines specific "access requirements" which must be present in order to grant the right to decrypt that program. The access requirements are authenticated in a "program key" which is valid for the duration of the program. An access control processor regularly receives "category rekey" messages defining its set of access rights.

The unit key for a particular subscriber decoder is derived from quantities stored in a secure random access memory (RAM) at the time the access control processor within the decoder is manufactured.

The access rights input via terminal 32 are also XOR'ed via XOR 38 with a category key input via terminal 34 and encrypted in a first encryption circuit 36. As indicated above, the category key is changed on a periodic basis. One specific category key is delivered, in an encrypted form, to a subset of the full population of decoders. The operation used to encrypt the category key is invertible. The property of invertibility plus knowledge of unit keys allows a system operator to prepare an encrypted category key that will result in a desired category key.

As shown in Figure 2, the encrypted category key is provided by an encryption circuit 40 that receives the outputs of XOR's 31 and 38 as inputs. Thus, the encrypted category key is dependent on the unit key and category key and authenticates the access rights.

The encoder also provides an encrypted program pre-key that is required by the decoder in order to derive the program key for the program. The program pre-key is input via terminal 42 to an encryption circuit 44 that encrypts the program pre-key under the category key to provide the encrypted program pre-key.

The program pre-key is also input to a one-way function 48 which receives the access requirements for the particular program via terminal 46. The one-way function combines the program pre-key and access requirements to provide the program key necessary to generate working keys via a working key generator 50, in a conventional manner. Working keys are simply keys that vary with time, dependent upon the program key. Minimizing re-use of working keys throughout a program defends against certain cryptographic attacks. The working key is applied as an initializing key to decrypt the digital data comprising the digital service being access controlled. Such decryption typically uses a cipher-block-chaining (CBC) approach.

Figure 3 illustrates an example of a key hierarchy that can be used for the decoder processing at the category and program key levels. The access rights input via terminal 54 are XOR'ed in an XOR 56 with the unit key for the particular decoder input via terminal 52. The result is input to a decryption circuit 58 which receives the XOR of the access rights and the output of a decryption circuit 62. The decryption circuit 62 partially decrypts the encrypted category key received via terminal 60. Assuming that the access rights and unit key match those values used in the encryption process, the output of decryption circuit 58 will be the same category key that was encrypted.

The recovered category key is used to decrypt the encrypted program pre-key input via terminal 66 to decryption circuit 68. This provides the program pre-key for input to one-way function 72. The access requirements for the program to which the program pre-key corresponds are input to one-way function 72 via terminal 70. This enables the program key to be recovered for use by working key generator 74 in generating the working keys necessary to decipher the program.

In practice, the access rights and access requirements data blocks may be many bytes in length. Thus, the XOR, decrypt/encrypt and one-way function operations will typically be cascaded and repeated enough times in an actual implementation so that all data is factored in. For example, the data blocks may have eight-byte data and seven-byte keys or may embody other cryptographic algorithms, as desired. The use of eight-byte data blocks and seven-byte keys is conventional in the Data Encryption Standard (DES) algorithm, details of which can be found in Federal Information Processing Standards Publication 46 ("FIPS Pub. 46") issued by the National Bureau of Standards, U.S. Department of Commerce, "Announcing The Data Encryption Standard," January 15, 1977 and FIPS Pub. 74, "Guidelines for Implementing and Using the NBS Data Encryption Standard," April 1, 1981.

When the number of bytes required to define access rights becomes large enough, one single category rekey message cannot hold the full description. The limitation on category rekey length may be, for example, two hundred bytes. The present invention overcomes this message length limitation by delivering the access rights in an incremental manner. More particularly, the present invention breaks access rights down into a plurality of data subgroups stored in "banks." Each instance of the category rekey message carries one or more subgroups, up to the limitation of the length of the message. Each subgroup is stored in a respective bank in secure RAM in the access control processor along with at least one "validity bit", used by the access control processor to keep track of the state of the bank. When the validity bit is set to a "valid" state (e.g., validity bit set), it indicates that the bank holds data that can be used to match access requirements and grant authorization. When the validity bit is set to an "invalid" state (e.g., validity bit clear), it indicates that the data in the bank cannot be used to grant authorization.

Whenever a category rekey message arrives in the access control processor, it is processed as follows:

1. The category key is derived;

2. If the category key matches the previously delivered category key exactly, then any banks authenticated in the derivation of the current category key are marked valid and the validity bits associated with banks not involved in the derivation are left unchanged.

3. If the category key does not exactly match the previously delivered category key, then any banks authenticated in the derivation of the current category key are marked valid, but validity bits associated with any banks not involved in the derivation are set to the invalid state. The new category key is stored.

This process enables the incremental delivery of access rights, while retaining cryptographic security in the authentication of the access rights data delivered. A key element of the inventive approach is that if the current category key exactly matches the previous category key, the banks previously authenticated under the previous key and validated can remain validated. In this manner, later messages effectively build upon prior messages.

Since any changes to access rights will affect the resulting derivation of the category key, any attempt to tamper with the content of one's access rights data in order to steal services (i.e., a pirate attack) will prevent a key match from occurring. Thus, the prior banks' data will become invalid upon derivation of the incorrect category key.

The data labeled as "access rights" in Figures 2 and 3 does not have to exactly comprise the access rights data ultimately stored in secure memory. The actual data validated may be the instructions used to define the data as it will be stored. The category rekey message may deliver data structures which include control bytes indicating the format of data blocks to follow. The control byte may, for example, indicate that the bank indicated by the preceding field is to be cleared to zero, or that the bank data to follow is a list of bits to be set instead of a bit mask. Given that the control bytes and parameters are authenticated, the result of the expansion or processing of the instructions is also authenticated.

Figures 4a to 4c illustrate an example in which access rights data are delivered incrementally in accordance with the present invention. In the initial state illustrated by Figure 4a, the access control processor holds access rights data in two banks 82, 86. Each bank has a validity designation 84, 88 respectively, associated therewith. In the initial state, the validity designations for both banks are set to a valid state (V=1). The access control processor also holds the key under which the access rights data is authenticated, namely, category key X stored in key store 80.

Figure 4b illustrates the delivery of a new category key and subgroup of access rights data via a category rekey message generally designated 90. The category rekey message includes an encrypted category key 92 (encrypted category key Y) as well as subgroup 94 of new access rights data. The new category key is stored in key store 80 and the new subgroup of access rights data is stored in bank 82. Subgroup 94 is authenticated under the new category key 92. Thus, when this subgroup is stored in bank 82, the validity designation 84 for bank 82 is set to (i.e., remains) valid. On the other hand, since the new category key (category key Y) does not match the prior category key (category key X), the validity designation 88 for bank 86 is set to an invalid state (V=0). This is necessary because the access rights data (access rights data A) currently stored in bank 86 has not been authenticated under the current category key (category key Y).

Figure 4c illustrates a subsequent delivery of new access rights data (i.e., subgroup 95) for storage in bank 86. The new access rights data is provided by category rekey message 96, which carries the same encrypted category key 92 (category key Y) that was carried by the previous category rekey message 90 (Figure 4b). Since subgroup 95 is authenticated under category key Y, which is stored in key store 80, the validity designation 88 for bank 86 is set to a valid state when subgroup 95 is loaded into bank 86. Since the derivation of the category key when authenticating subgroup 95 resulted in the same category key (category key Y) that was already stored in key store 80, the validity designation 84 for bank 82 is unchanged. The result is that both banks are now authenticated under category key Y, even though the access rights subgroups stored in the two banks were delivered separately. It is noted that the subgroups 94 and 95 could have been delivered in the opposite order, with the same end result.
In a preferred embodiment, the access control processor holds two category keys. One category key is used for a current time period (e.g., the current month) and the second is used for a subsequent time period (e.g., the following month). Two keys are required to provide a seamless transition across the month boundary. Such an arrangement allows a system operator to predeliver next month's key without affecting the current month's transactions. In other words, a category key for a subsequent time period can be delivered without creating a period of time where one or more banks are invalidated during the delivery of the new key.

In accordance with the present invention, the maintenance of two category keys with only a single set of banks is permitted by providing a second validity designation for each bank. Each validity designation is associated with (i.e., "points" to) a specific category key. This can be accomplished, for example, either by quoting the sequence number of the category key or by using an even/odd parity scheme.

In a dual key implementation, the processing rules are refined to accommodate the validation bytes for banks already validated by one key when the second key arrives. The category rekey message in such implementations may treat a bank in one of three ways. In particular, the bank may be redefined by the category rekey message, it may be uninvolved in the authentication processing of the message, or the bank may be assumed to be unchanged from a definition received previously, but authenticated in the derivation of the new category key. In the latter case, the data in the bank is involved in the encryption/decryption of the category key, but the actual data in the bank is not included in the message.

Examples for the incremental delivery of access rights where two keys are held by the access control processor are illustrated in Figures 5a, 5b; 6a, 6b; and 7a, 7b, 7c. Figures 5a and 6a each illustrate the same initial conditions, in which an even category key 100 (category key X) and an odd category key 102 (category key W) are present in the access control processor. A first bank 104 holds a first subgroup of access rights. Two validity designations are associated with this bank. Validity designation 106 pertains to information authenticated under the even key. Validity designation 108 pertains to information authenticated under the odd key. A second bank 110 holds a second subgroup of access rights. The second bank is associated with validity designations 112 and 114. Validity designation 112 pertains to information authenticated under the even key and validity designation 114 pertains to information authenticated under the odd key. In the initial state, all four validity designations are set to a valid state (V=1).

In Figure 5b, a category rekey message 120 is received which includes a new encrypted category key 122 (category key Y) and a new subset of access rights 124 to be stored in the first bank. Upon receipt of a category rekey message containing a single category key, as illustrated in Figure 5b, the category key is first derived by decrypting the encrypted category key as illustrated in Figure 3. The resultant category key is stored in category key store 102. The validity designation for each bank redefined or authenticated by the new category key stored in category key store 102 is set to a valid state. It is noted that any bank which is redefined by a category rekey message is also authenticated under the keys carried by that message.

For each bank redefined by a new category rekey message, the validity designation for the other category key (i.e., the category key that is not contained in the category rekey message) is set to an invalid state. Thus, in Figure 5b the validity designation 106 for the category key that is not contained in the category rekey message (i.e., "even" category key X stored in key store 100) is set to the invalid state (V=0). Validity designation 108 is set (i.e., maintained) in a valid state since the "odd" key (category key Y stored in key store 102) was provided by the category rekey message and is the key under which the new access rights stored in the first bank 104 are authenticated.

In the event that the newly derived category key does not exactly match the previous value for that key (i.e., if a new even key does not match the prior even key or if a new odd key does not match the prior odd key), all validity designations associated with that key are set to an invalid state, except for those banks that are redefined and authenticated or simply authenticated by the new category key provided by the category rekey message. It should be noted that the validity designations associated with the other category key are unchanged for any banks authenticated but not redefined in the present message. Thus, in Figure 5b, after the receipt of a new odd category key (category key Y) under which the access rights stored in the first bank 104 are authenticated, the validity designations 106 and 114 will be set to an invalid state while the validity designations 108 and 112 will remain in a valid state. More particularly, validity designation 106 is set to an invalid state because the even key (category key X) was not used to authenticate the access rights stored in first bank 104. Validity designation 114 is set to an invalid state because the access rights stored in second bank 110 were not authenticated under the new odd key (category key Y).

In the example illustrated by Figures 6a and 6b, a new odd category key 122 is provided by the category rekey message 125 without any change in the access rights. In this case, both banks are reauthenticated in the delivery of the odd category key. Thus, the validity designations 108 and 114 for the odd key remain in a valid state. Since no banks were redefined, the validity designations 106, 112 for the even key are also unchanged from the initial conditions illustrated in Figure 6a.

In order to avoid disruption of a current month's authorization if any banks are redefined during delivery of the next month's key, both keys must be delivered in the category rekey message. An example of this is shown in Figures 7a through 7c. Figure 7a shows the same initial conditions illustrated in Figure 6a.
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Whenever two keys are present in the category 
rekey message, the authenticated data used in the 
encryption is common to both keys. In other words, the 
first key cannot be defined to authenticate one bank with 
the second key authenticating the second bank. If two s 
banks are redefined, both keys must authenticate both 
banks. 

Upon receipt of a category rekey message contain-
ing encrypted odd and even category keys, one of the
keys (e.g., the even key) is first derived. The validity des-
ignations corresponding to the derived key are then set
to a valid state for any banks redefined or authenticated
by the category rekey message. If the derived key does
not exactly match the previous value of that key, then all
of the validity designations associated with that key,
except for those banks redefined or authenticated there-
under, are set to an invalid state.

After the first category key has been derived and its
corresponding validity designations have been set or
cleared, the second key is derived. The validity designa-
tions for any banks redefined or authenticated in the cat-
egory rekey message are then set to a valid state for the
second key. The derived second key is then compared
with the previous value of that key, and absent an exact
match, all of the validity designations associated with
that key are set to an invalid state except for those banks
redefined or authenticated in the current category rekey
message.

In the example of Figure 7b, two keys 132 and 134
are delivered in category rekey message 130, together
with new access rights data 136 for the first bank 104.
Category key X (derived from encrypted key 132) is the
key for the current epoch (i.e., the current month), and is
therefore the same key that is already present in the
access control processor and stored in key store 100.
Category key Y, which is derived from the encrypted key
134 in the category rekey message 130, is a new key for
the next epoch and will overwrite the prior category key
W in key store 102.

After processing the category rekey message 130,
the first bank 104, which stores the new access rights
data 136, is validated for both key parities, since the first
bank was redefined in the message and authenticated
under both the even and odd keys. Thus, validity desig-
nations 106 and 108 are both set to a valid state. The
validation of the second bank 110 is unchanged for the
even key, since category key X as derived from the cat-
egory rekey message exactly matched the value already
held. Validity designation 112 is therefore set to (i.e.,
remains in) a valid state. The second bank validation is
cleared for the odd key, since category key Y as derived
from the category rekey message does not match the
previous value of category key W held in the odd key
store 102. Thus, validity designation 114 is set to an
invalid state.

In the example illustrated in Figure 7c, a category
rekey message 140 arrives redefining the second bank
110. The new category rekey message 140 immediately
follows category rekey message 130 of Figure 7b. After
processing this message, all banks become validated for
both keys. More particularly, the second bank 110 is val-
idated for both key parities, since that bank was rede-
fined in the message and authenticated under both keys.
The validation of first bank 104 is unchanged for the even
key, since category key X as derived matched the value
already held in key store 100. Similarly, the validation of
first bank 104 for the odd key is unchanged, since cate-
gory key Y as derived from category rekey message 140
exactly matches the previous value held in the odd key
store 102.

The final result of the delivery of the two category 
rekey messages as illustrated in Figures 7b and 7c is 
that both banks are now validated for the new category 
key (category key Y). The delivery of the two messages 
could have occurred in either order without affecting the 
outcome. Furthermore, both banks continued to be val- 
idated for the current month's key (category key X) during 
the delivery process. Thus, no interruption in service 
results from the incremental delivery of access rights in 
accordance with the present invention. 
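The single-key procedure illustrated by Figures 5b and 6b and the two-key procedure of Figures 7b and 7c, modelled as an added example. This is not code from the patent or from any decoder product. The patent fixes no concrete cipher, so the key wrapping (each category key XORed with an HMAC of the authenticated bank data under the decoder's unit key), the bank encoding, the unit key, the key values X, W and Y, the bank contents and the service names are all assumptions introduced here; bank and designation numbers follow the figures.

```python
import hashlib
import hmac

EVEN, ODD = "even", "odd"   # key parities; key stores 100 (even) and 102 (odd)
BANKS = (104, 110)          # first and second storage banks of the figures
KEYLEN = 16                 # assumed category key length


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _auth_data(contents):
    # Canonical encoding of the bank contents covered by one rekey message.
    return b"".join(b"%d:%s;" % (bank, contents[bank]) for bank in sorted(contents))


def _mask(unit_key, parity, auth_data):
    # Hypothetical key wrapping: the headend XORs each category key with this mask,
    # so a decoder whose view of the authenticated data differs derives a different key.
    return hmac.new(unit_key, parity.encode() + auth_data, hashlib.sha256).digest()[:KEYLEN]


def headend_rekey(unit_key, keys, all_banks, redefine=(), authenticate=()):
    """Build a category rekey message.  keys: parity -> plaintext category key (one
    or both); all_banks: the headend's copy of every bank, already updated; redefine:
    banks whose new data rides in the message; authenticate: banks whose existing
    data is re-authenticated without being resent."""
    covered = sorted(set(redefine) | set(authenticate))
    auth = _auth_data({b: all_banks[b] for b in covered})   # common to both keys
    return {"keys": {p: _xor(k, _mask(unit_key, p, auth)) for p, k in keys.items()},
            "redefine": {b: all_banks[b] for b in redefine},
            "authenticate": tuple(covered)}


class AccessControlProcessor:
    def __init__(self, unit_key, keys, banks):
        self.unit_key = unit_key
        self.keys = dict(keys)      # parity -> category key currently held
        self.banks = dict(banks)    # bank number -> access rights (comma-separated)
        self.valid = {b: {EVEN: True, ODD: True} for b in BANKS}  # Figure 6a/7a start

    def process_rekey(self, msg):
        covered = msg["authenticate"]
        for bank, data in msg["redefine"].items():
            if data != self.banks[bank]:
                self.banks[bank] = data
                # Redefined data was never authenticated under a parity absent from
                # this message, so that designation is cleared (106 in Figure 5b).
                for p in (EVEN, ODD):
                    if p not in msg["keys"]:
                        self.valid[bank][p] = False
        auth = _auth_data({b: self.banks[b] for b in covered})
        for parity, wrapped in msg["keys"].items():   # even first, then odd
            derived = _xor(wrapped, _mask(self.unit_key, parity, auth))
            for b in covered:
                self.valid[b][parity] = True
            if derived != self.keys[parity]:
                # Key changed: banks not (re)authenticated under it are stale.
                for b in BANKS:
                    if b not in covered:
                        self.valid[b][parity] = False
            self.keys[parity] = derived

    def authorized(self, parity, service):
        """Access under one parity is limited to banks valid for that parity."""
        return any(service in self.banks[b].split(b",")
                   for b in BANKS if self.valid[b][parity])


UNIT_KEY = b"unit-key-of-this-decoder"                     # constructed
X, W, Y = b"X" * KEYLEN, b"W" * KEYLEN, b"Y" * KEYLEN      # constructed keys


def figure_5b():
    """Odd key Y alone, redefining bank 104: 106 and 114 clear, 108 and 112 stay."""
    banks = {104: b"hbo,cnn", 110: b"ppv-boxing"}
    acp = AccessControlProcessor(UNIT_KEY, {EVEN: X, ODD: W}, banks)
    banks[104] = b"hbo,cnn,showtime"
    acp.process_rekey(headend_rekey(UNIT_KEY, {ODD: Y}, banks, redefine=(104,)))
    return acp.valid


def figure_7(order=(130, 140)):
    """Messages 130 (both keys, bank 104 redefined) and 140 (both keys, bank 110
    redefined) in either order; returns the designations after each message."""
    banks = {104: b"hbo,cnn", 110: b"ppv-boxing"}
    acp = AccessControlProcessor(UNIT_KEY, {EVEN: X, ODD: W}, banks)
    new_data = {130: (104, b"hbo,cnn,showtime"), 140: (110, b"ppv-boxing,ppv-concert")}
    snapshots = []
    for msg_id in order:
        bank, data = new_data[msg_id]
        banks[bank] = data
        acp.process_rekey(headend_rekey(UNIT_KEY, {EVEN: X, ODD: Y}, banks, redefine=(bank,)))
        snapshots.append({b: dict(v) for b, v in acp.valid.items()})
    return acp, snapshots


def tampered_delivery():
    """Bank data altered in transit: derived keys match neither X nor Y, and the
    untouched bank is invalidated for both parities."""
    banks = {104: b"hbo,cnn", 110: b"ppv-boxing"}
    acp = AccessControlProcessor(UNIT_KEY, {EVEN: X, ODD: W}, banks)
    banks[104] = b"hbo,cnn,showtime"
    msg = headend_rekey(UNIT_KEY, {EVEN: X, ODD: Y}, banks, redefine=(104,))
    msg["redefine"][104] = b"hbo,cnn,showtime,every-service"   # pirate edit
    acp.process_rekey(msg)
    return acp.keys[EVEN] == X, acp.keys[ODD] == Y, dict(acp.valid[110])
```

Running figure_7 with the two messages in either order ends with both banks valid for both parities, and bank 104 stays valid for category key X throughout, which is the no-interruption property the text claims. The tampered_delivery case shows why the key is derived from the authenticated data rather than checked separately: altering the rights in transit does not grant them, because the decoder ends up holding keys that match neither the current nor the next epoch and can decrypt nothing. One caveat of this model, not addressed by the text: a forged or replayed message still overwrites the stored keys and designations, so a deployment also needs the message itself to be unforgeable or the damage is limited to a denial of service rather than to nothing.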

It should now be appreciated that the present inven-
tion provides a method and apparatus for incrementally
delivering authenticated access rights to an access con-
trol processor. Data defining the access rights is divided
into a plurality of subgroups which are incrementally
delivered to an access control processor. Validity desig-
nations are used to keep track of authenticated access
rights that can be used for providing access to a partic-
ular data stream.

Although the invention has been described in con-
nection with various illustrated embodiments, those
skilled in the art will appreciate that numerous adapta-
tions and modifications may be made thereto without
departing from the spirit and scope of the invention as
set forth in the claims.

Claims 

1. A method for incrementally delivering authenticated
access rights to an access control processor, com-
prising the steps of:

dividing data defining said access rights into
a plurality of subgroups;

transmitting said subgroups to said proces-
sor as authenticated data in a plurality of messages;

deriving a current cryptographic key using the
authenticated data contained in a current message
upon receipt of that message by said processor;

storing each of said subgroups in a corre-
sponding storage bank of said processor, each of
said storage banks having a validity designation
associated therewith for said cryptographic key;

comparing said current cryptographic key to
a cryptographic key from a prior message under
which subgroups stored in said storage banks were
authenticated to determine if the keys match;

if said keys match, setting the validity desig-
nation for that key to a valid state for each storage
bank that is storing data authenticated by said cur-
rent message, without changing that key's validity
designation for any other storage bank; and

if said keys do not match, setting the validity
designation for that key to a valid state for each stor-
age bank that is storing data authenticated by said
current message and setting that key's validity des-
ignation for all other storage banks to an invalid
state;

wherein access under the current crypto-
graphic key is limited to that provided by access
rights contained in storage banks having a validity
designation for that key in a valid state.

2. A method in accordance with claim 1 wherein first
and second different cryptographic keys under
which access rights are authenticated are main-
tained by said processor at the same time, said
method comprising the further step of:

providing each of said storage banks with a
first validity designation for said first key and a sec-
ond validity designation for said second key;

wherein access via a particular one of said
keys is limited to that provided by access rights con-
tained in storage banks having a validity designation
in a valid state for that key.

3. A method in accordance with claim 1 or 2 comprising
the further steps of:

transmitting a replacement for one of said first
and second keys in one of said messages together
with one or more subgroups authenticated under
said replacement;

storing each of the subgroups transmitted
with said replacement key in a corresponding one of
said storage banks;

setting the validity designation for the
replacement key to a valid state for those storage
banks holding a subgroup authenticated under the
replacement key;

setting the validity designation for the
replacement key to an invalid state for those storage
banks holding a subgroup that was not authenti-
cated under the replacement key; and

setting the validity designation for the key that
was not replaced to an invalid state for those storage
banks holding a subgroup that was authenticated
under the replacement key and differs from the pre-
vious subgroup stored in that storage bank.

4. A method in accordance with claim 3 wherein the
message carrying said replacement key also carries
a duplicate of the key that was not replaced.

5. A method in accordance with any of claims 1 to 4
comprising the further step of transmitting replace-
ment keys on a periodic basis.



6. An access control processor for incrementally
receiving authenticated access rights, comprising:

means for receiving a plurality of messages
containing subgroups of access control data defin-
ing said access rights;

means for deriving a current cryptographic
key using the authenticated data contained in a cur-
rent one of said messages upon receipt of that mes-
sage;

a plurality of storage banks for storing differ-
ent ones of said subgroups, each of said storage
banks having a validity designation associated
therewith for said cryptographic key;

means for comparing said current crypto-
graphic key to a cryptographic key under which data
contained in said storage banks was authenticated
to determine if the keys match;

means responsive to said comparing means
for setting the validity designation for the current
cryptographic key to a valid state for each storage
bank that is storing data authenticated by said cur-
rent message, without changing that key's validity
designation for any other storage bank if the keys
match; and

means responsive to said comparing means
for setting the validity designation for the current
cryptographic key to a valid state for each storage
bank that is storing data authenticated by said cur-
rent message, and for setting that key's validity des-
ignation for all other storage banks to an invalid state
if the keys do not match;

wherein access under the current crypto-
graphic key is limited to that provided by access
rights contained in storage banks having a validity
designation for that key in a valid state.

7. Apparatus in accordance with claim 6 wherein:

said processor maintains first and second dif-
ferent cryptographic keys under which access rights
are authenticated;

a first validity designation is maintained for
said first key and a second validity designation is
maintained for said second key for each of said
banks; and

access via a particular one of said keys is lim-
ited to that provided by access rights contained in
storage banks having a validity designation in a valid
state for that key.

8. Apparatus in accordance with claim 6 or 7 wherein
a replacement is provided for one of said first and
second keys together with one or more subgroups
authenticated under said replacement, said appara-
tus further comprising:

means for storing each of the subgroups
transmitted with said replacement key in a corre-
sponding one of said storage banks;

means for setting the validity designation for
the replacement key to a valid state for those storage
banks holding a subgroup authenticated under the
replacement key;

means for setting the validity designation for
the replacement key to an invalid state for those stor-
age banks holding a subgroup that was not authen-
ticated under the replacement key;

means for setting the validity designation for
the key that was not replaced to a valid state for
those storage banks holding a subgroup authenti-
cated under that key; and

means for setting the validity designation for
the key that was not replaced to an invalid state for
those storage banks holding a subgroup that was
not authenticated under that key.